To all whom it may concern: 



Be it known that Li YUAN and Jun YAN have invented certain new and useful 
improvements in a 



METHOD AND SYSTEM FOR IMPLEMENTING TRAVERSAL THROUGH 
NETWORK ADDRESS TRANSLATION 

of which the following is a description: 
Method and System for Implementing Traversal through 
Network Address Translation 

Field of the Invention 

[0001] The invention relates to communication techniques in Next Generation 
Network (NGN), and in particular, to a method and system for implementing traversal 
through Network Address Translation. 

Background of the Invention 

[0002] NGN is a milestone in the history of telecommunications, which marks 
the arrival of a new generation of telecommunication network. From a viewpoint of 
development, NGN is a kind of network which gradually converts from a traditional 
Public Switched Telephone Network (PSTN) adopting circuit switched technique to a 
packet-switched network. The NGN bears all the services of the PSTN, and shifts a 
mass of data transmission to an Internet Protocol (IP) network for reducing heavy load 
of the PSTN, thus it enhances the performance of many services, no matter new or old, 
with the help of new features of IP technology. In this sense, NGN is the result of 
integration of voice PSTN based on Time Division Multiplexing (TDM) and packet 
networks based on Internet Protocol/ Asynchronous Transmission Mode (IP/ATM), 
which makes it possible to implement integrated services of voice, video, and data on 
a new generation network. At present, the NGN has become a focus of research. 

[0003] The NGN may be divided into four layers in terms of functions, i.e., 
access and transmission layer, media transfer layer, network control layer, and 
network service layer. A SoftSwitch provides the NGN with the function of call 
control and connection control of services with real-time requirement, which forms 
the key portion of call and connection of NGN. A SoftX is a key member of the 
network control layer of NGN and is a device to provide integrated services and call 
control, of which the main functions include, call control, signaling gateway, gateway 
control, integrated services, and enhancing services. 

[0004] As the NGN is put into commercial use from experiment, access of 
NGN subscribers becomes an increasingly severe problem. Since the NGN is a 
network borne by a packet network, accessing subscribers are all addressed by IP 
addresses. However, due to reasons such as shortage of IP addresses on existing public 
networks as well as security, a large number of Enterprise and Premise networks 
adopt private IP addresses to access a public network via a Network Address 
Translation (NAT) server or a Firewall (FW). In the following, a Network Address 
Translation server or a Firewall is denoted as NAT/FW for convenience. 

[0005] At present, however, in an NGN, when IP is adopted as the bearer of 
voice and video protocols such as H.323, Session Initiation Protocol (SIP), Media 
Gateway Control Protocol (MGCP), and H.248, since there are addresses in the load 
of a message that are different from addresses in the message header, it is impossible 
for a control channel/media channel of these protocols to traverse traditional NAT/FW 
devices and interwork with a public network. The specific reasons may be presented 
through the following analysis of NAT/FW: 

[0006] A firewall, i.e., FW, is used for limiting entries of packets into a 
network. Typically, some packet filtering principles are set, and the FW may detect 
conformity of the packets with the filtering principles by checking the source address, 
the destination address, the source port, the destination port, and the protocol of each 
of the packets. Only when the packets are in agreement with the filtering principles 
would they be permitted to pass the firewall. In practical applications, servers needing 
to be accessed by the outside, such as Web servers, are usually placed inside a firewall. 
Then, the firewall could be configured to allow passing of all the packets sent to the 
ports of these servers. In multimedia communications, however, even if a firewall 
allows the entering of packets sent to a fixed port that originally set up a call, since 
audio/video communications need to set up channels for transmitting and receiving 
data by assigning ports dynamically, which involves a larger range of addresses and 
ports, it is unable to learn in advance the information of IP addresses and ports of 
internal terminals, and it is impossible for the firewall to open a large filtering range 
for the packets without regarding the security of the local area network. 

[0007] On the other hand, there exist some reasons related with NAT: 

[0008] A NAT is used for shielding IP addresses of a Local Area Network 
(LAN) and protecting mainframes of the LAN from being attacked from the outside. 
As the addresses used inside a LAN can not be addressed in a public network, when 
the destination address of a packet is an internal address of the LAN, the packet has 
to be discarded. In multimedia communications, if the address of the called party of 
H.323 is a LAN address, it is impossible for the packets of this call to reach a terminal 
inside the LAN. When a call is sent from inside the LAN to the outside, the IP address 
of the calling party, i.e., an IP address of the LAN, and the port information thereof 
will be loaded in the data packet. After receiving the packet, the called party may send 
audio and/or video streams according to the source IP address and port in the load of 
the packet. When this IP address is an IP unable to be used for route addressing, that 
is, when the circumstance that the IP address of the LAN is unable to be used for 
route addressing occurs, routers over the Internet have to discard packets with this IP 
address. As a result, although it seems apparent that the call has been established, 
terminals inside the NAT are actually unable to receive audio and video streams from 
external terminals. Besides, the NAT is adopted to perform network address/port 
translation so as for multiple terminals in a LAN to share a smaller number of IP 
addresses of a public network, e.g., when a terminal in a LAN is executing an 
application, the IP address and port thereof in the LAN are mapped into the external 
network IP address and port of a gateway. In multimedia communications, only when 
the channel of a multimedia stream is set up from inside to outside will a NAT device 
be able to establish a mapping relation for corresponding ports, and thus, the 
multimedia stream that is transferred to the external network IP address of the 
gateway could be transferred correctly to the terminal in the LAN. If the channel of a 
multimedia stream is set up from outside to inside, a NAT device could not be able to 
establish a mapping relation, and the transmission of the multimedia stream will fail. 
Moreover, in case that the channel is maintained with a mechanism of time-out, and 
there is no data being transferred during the period of time-out, the mapping relation 
will be cancelled. In multimedia communications, when it is needed to suspend the 
transmission of multimedia data in the channel for a long time, certain measures 
would be needed to maintain the setup state of the channel. 

[0009] The problem why audio and/or video services are not able to traverse 
the NAT/FW is presented above. However, since one of the main advantages of the 
NGN is to provide subscribers with abundant services of various types, especially 
integrated services of voice, data, and video for enterprise subscribers, a solution for 
the above problem is more pressing, and this problem has so far become the largest 
obstacle to the promotion of NGN services. On the other hand, since most broadband 
access networks are not part of the network of an operator, it is impossible for the 
operator to give uniform planning for the broadband access networks, and it is 
difficult to solve the issues such as IP addresses of an access network, Quality of 
Service (QoS), security, and differentiation of real-time session services with data 
services, which have become significant matters worrying the network operators. 

[0010] Presently, approaches in prior art of the industry include an 
Application Layer Gateway (ALG) mode, a Middlebox Communication (MIDCOM) 
mode, a Simple Traversal of User Datagram Protocol (UDP) Through Network 
Address Translators (STUN) mode, and a Traversal Using Relay NAT (TURN) mode. 

[0011] A brief description is hereinafter given to the above approaches in prior 
art. 

[0012] The first is an ALG mode. An ordinary NAT implements address 
translation by modifying the address information in the header of a UDP or Transfer 
Control Protocol (TCP) message. Some applications bearing on TCP/UDP, however, 
e.g., "end-to-end" applications such as performing multimedia conversation, file 
sharing, and games, need to carry address information in the load of TCP/UDP 
message. Usually, the application writes its own address in the load of TCP/UDP 
message, and this address information is modified into an external address on the 
NAT when the information passes the NAT, which is commonly mentioned as the 
ALG mode. 

[0013] At present, functions of the ALG mode mainly reside in some 
NAT/Firewall devices which are required to possess the intelligence of identifying 
applications. Meanwhile, every newly-added application requires an updating of the 
NAT/Firewall. 

[0014] In terms of applications of NGN services, the ALG mode has to 
support the identification of Voice over IP (VoIP) protocol and video protocols such 
as H.323, SIP, and MGCP/H.248 as well as support the control of NAT/Firewall so as 
to ensure the smooth traverse of NGN services. 
[0015] The key point of the ALG mode is: internal terminals of an 
Enterprise/Premise network are able to break through NAT/ALG devices to register on 
the SoftX of a public network, and then the SoftX could perform protocol analysis and 
call processing. Since the SoftX of the public network and the enterprise terminals 
perform interaction by means of SIP/H.323/H.248, the NAT/ALG devices have to 
recognize signalings of SIP/H.323/MGCP/H.248 to form channels for multimedia 
streams and provide support for the smooth traverse of the multimedia streams 
through NAT/FW. 

[0016] The ALG mode is the simplest approach to support NGN applications. 
Unfortunately, since a large number of NAT/FW devices not supporting NGN service 
applications have been deployed on the networks, this approach is inapplicable. 

[0017] The second is a MIDCOM mode. What is different from the ALG 
mode is the architecture of the MIDCOM mode comprises a mechanism of controlling 
the Middlebox by means of an authentic third-party MIDCOM agent, and the 
intelligence of application recognition is transferred to an external MIDCOM agent. 
Therefore, the application protocol is transparent to the Middlebox. 

[0018] Since the intelligence of application recognition is transferred from the 
Middlebox to an external MIDCOM agent, according to the architecture of the 
MIDCOM, without modifying the basic features of the Middlebox, more new services 
will be sustained by updating the MIDCOM agent, which is a prominent advantage 
compared with the ALG mode. 

[0019] In practical applications of NGN services, the function of Middlebox 
may reside in NAT servers or FWs (NAT/FWs) while the function of MIDCOM agent 
may reside in SoftXs. As a MIDCOM agent in the SoftX is employed to implement 
recognition of VoIP and video protocols such as H.323, SIP, MGCP/H.248 as well as 
implement control of NAT/FWs, the MIDCOM mode may be taken as a solution to 
the traversal of NGN services through NAT/FW. 

[0020] The key of the MIDCOM mode is: the SoftX in a public network 
performs control on NAT/FW devices at the edge of private networks, and identifies 
SIP/H.323/MGCP/H.248 protocols at the calling and called sides. If both the calling 
and called party are subscribers of the same intraoffice, the SoftX needs to control the 
NAT/FWs at both sides of the calling and the called party by means of the MIDCOM 
protocol so that a media stream could traverse the NAT/FW smoothly after a channel 
of the media stream is set up on the NAT/FW. 

[0021] As the SoftX has implemented the recognition of 
SIP/H.323/MGCP/H.248, the only need is to add the MIDCOM protocol onto the 
NAT/FW device, and later on, the recognition of new applications will be provided as 
long as these applications are supported by the SoftX. Therefore, this approach is a 
relatively promising solution except that the existing NAT/FW devices have to be 
updated to support the MIDCOM protocol. 

[0022] The third is a STUN mode. Another idea for solving the NGN NAT 
issue is: a user terminal in a LAN obtains in advance an external address of an exit 
NAT corresponding to the internal address, and then this external address of the exit 
NAT rather than the IP address of this user terminal in the LAN will be directly 
written as the address information described in the message load. Thus, there is no 
need to modify the contents in the message load when the message passes the NAT 
but only to translate the IP address in the message header following the common NAT 
procedure, and the IP address information in the load is consistent with the IP address 
information in the message header. That is how the STUN protocol solves the 
problem of converting application layer addresses. 

[0023] With the STUN mode, the application of a subscriber, as a STUN 
client, sends a STUN request message to a STUN server outside the NAT via the 
UDP, and the STUN server receives the request message and produces a response 
message which carries the source port information of the request message, i.e., the 
external port information of the NAT corresponding to the STUN client. Then, the 
response message is sent to the STUN client via the NAT, and the STUN client learns 
its corresponding external address on the NAT through the contents of the response 
message and fills this external address into the UDP load of later-on call protocols to 
tell the opposite end that the receiving address and port number of Real-time Transfer 
Protocol (RTP) of this end is the address and port number outside the NAT. Since the 
NAT mapping list items of media streams have been established in advance on the 
NAT by means of the STUN protocol, media streams could be able to traverse 
through the NAT smoothly. 
[0024] The most significant advantage of the STUN protocol is that there is no 
need to make any modification on the existing NAT/FWs. Since there have been large 
numbers of NAT/FWs in the existing networks and such NAT/FWs can not support 
Voice over IP (VoIP) applications, if the MIDCOM or NAT/ALG mode is employed 
to solve the problem of traversal, the existing NAT/FWs have to be replaced, which is 
not easy. If the STUN mode is employed, the existing NAT/FWs need not be changed, 
which is the biggest advantage of this mode, and it can be applied in the network 
environment with multiple NATs connected in series, while the MIDCOM mode is 
unable to have an effective control on multi-level NATs. 

[0025] The STUN mode requires the STUN server be placed in the public 
network, i.e., in the SoftX of the public network. Since the NAT mapping list items of 
media streams have been established in advance on the NAT by means of the STUN 
protocol, media streams could be able to traverse through the NAT smoothly. 

[0026] The limitation of the STUN mode is that it requires applications to 
support the STUN CLIENT functions, i.e., the network terminals of NGN are 
demanded to support the STUN CLIENT functions. Meanwhile, the STUN mode is 
not suitable for the traversal through TCP connections, e.g., it can not support the 
application protocol of H.323. In addition, the STUN mode does not support the 
traversal of NGN services through a firewall, nor does it support the traversal through 
a NAT of the symmetric type. 
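The NAT behaviour described in [0008] (mappings created only by outbound traffic and cancelled after an idle time-out), the STUN exchange in [0023] (the server reflects the source address it observes in the request header), and the symmetric-NAT limitation in [0026] can all be shown on one small model. The following is an added example written for this page, not code from the patent; the `Nat` class is a constructed toy with two modes (address-dependent, i.e. "cone", and symmetric), and the IP addresses, the 30-second time-out, and the port numbering are assumptions chosen for the illustration.

```python
"""NAT/FW mapping behaviour and STUN-style address discovery (constructed model)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: tuple     # (ip, port) as carried in the IP/UDP header
    dst: tuple
    payload: dict  # application-layer content, which may itself carry addresses


class Nat:
    """Toy NAT/FW. Mappings are created only by outbound traffic, are
    cancelled after an idle timeout, and in symmetric mode depend on the
    destination as well as the source (so each peer gets its own mapping)."""

    def __init__(self, public_ip, symmetric=False, timeout=30):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.timeout = timeout          # idle seconds before a mapping is dropped
        self.next_port = 40000          # assumed public port range start
        self.table = {}                 # key -> [public_port, last_used]
        self.by_port = {}               # public_port -> (private src, key)

    def _key(self, src, dst):
        return (src, dst) if self.symmetric else src

    def outbound(self, pkt, now):
        """Private -> public: create or refresh the mapping, rewrite the header."""
        key = self._key(pkt.src, pkt.dst)
        if key not in self.table:
            self.table[key] = [self.next_port, now]
            self.by_port[self.next_port] = (pkt.src, key)
            self.next_port += 1
        self.table[key][1] = now
        return Packet((self.public_ip, self.table[key][0]), pkt.dst, pkt.payload)

    def inbound(self, pkt, now):
        """Public -> private: deliver only through a live mapping, else drop (None)."""
        port = pkt.dst[1]
        if pkt.dst[0] != self.public_ip or port not in self.by_port:
            return None                 # no mapping: firewall behaviour, packet discarded
        private_src, key = self.by_port[port]
        if now - self.table[key][1] > self.timeout:
            del self.table[key], self.by_port[port]   # idle time-out: mapping cancelled
            return None
        if self.symmetric and key[1] != pkt.src:
            return None                 # symmetric NAT: only the peer the mapping was made for
        self.table[key][1] = now
        return Packet(pkt.src, private_src, pkt.payload)


def stun_server(request):
    """Reflect the source address seen in the request header back to the client."""
    return Packet(request.dst, request.src, {"mapped": request.src})


TERMINAL = ("10.0.0.5", 5004)          # private-network terminal (assumed)
STUN = ("198.51.100.10", 3478)         # STUN server in the public network (assumed)
PEER = ("198.51.100.20", 6000)         # remote media endpoint (assumed)
PUBLIC_IP = "203.0.113.1"              # exit NAT public address (assumed)


def run_call(symmetric):
    """STUN discovery followed by inbound media to the learned address.
    Returns (learned public address, whether the media packet was delivered)."""
    nat = Nat(PUBLIC_IP, symmetric=symmetric)
    req = nat.outbound(Packet(TERMINAL, STUN, {"type": "binding"}), 0)
    resp = nat.inbound(stun_server(req), 0)
    mapped = resp.payload["mapped"]     # what the client writes into the message load
    delivered = nat.inbound(Packet(PEER, mapped, {"rtp": 1}), 1)
    return mapped, delivered is not None


def media_after_idle(idle_seconds, keepalive_interval=None):
    """Does inbound media still pass after the channel was idle, with or
    without periodic keep-alive packets refreshing the mapping?"""
    nat = Nat(PUBLIC_IP)
    pub = nat.outbound(Packet(TERMINAL, PEER, {"rtp": 0}), 0)
    if keepalive_interval:
        t = keepalive_interval
        while t < idle_seconds:
            nat.outbound(Packet(TERMINAL, PEER, {"keepalive": 1}), t)
            t += keepalive_interval
    return nat.inbound(Packet(PEER, pub.src, {"rtp": 1}), idle_seconds) is not None


if __name__ == "__main__":
    print("cone NAT:", run_call(symmetric=False))
    print("symmetric NAT:", run_call(symmetric=True))
    print("idle 60 s, no keep-alive:", media_after_idle(60))
    print("idle 60 s, keep-alive every 20 s:", media_after_idle(60, 20))
```

Under the cone NAT the STUN-learned address works for any peer; under the symmetric NAT the same address is reported but the peer's media is dropped, because the mapping was made for the STUN server only. The keep-alive run shows why [0008] says a suspended channel needs measures to keep the mapping alive.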

[0027] The fourth is a TURN mode. Similar to the STUN mode, the idea of 
solving the NAT issue by the TURN mode is that a subscriber accessing the public 
network via a private network obtains in advance the address of the public network 
corresponding to the private address thereof, and then this address of the public 
network is written as the address information described in the message load. The 
difference between the STUN mode and the TURN mode lies in that the address 
obtained in advance in the STUN mode is the address of an exit NAT while that 
obtained in the TURN mode is the address of the TURN server. 

[0028] A model of the TURN application is shown as Figure 1. A system 
implementing the TURN mode includes packet user terminals 10 and 11, NAT/FWs 
20 and 21, SoftXs 40 and 41, as well as a TURN SERVER 50. Addresses and ports in 
the TURN SERVER are assigned as the external receiving addresses and ports of 
TURN CLIENTS, i.e., all the messages from the user terminals in the LAN may be 
relayed and forwarded via the TURN SERVER, which, worth noting, is the most 
significant difference between the STUN mode and the TURN mode. Besides the 
virtues of the STUN mode, the TURN mode would solve the problem of the STUN 
mode on supporting traversal of the applications through symmetric NATs and 
firewall devices, i.e., it is able to implement traversal through any types of NATs in an 
Enterprise/Premise network. In addition, the TURN mode supports applications based 
on TCP, such as H.323 protocol. Furthermore, it is the TURN SERVER that controls 
the assignment of addresses and ports, which makes it possible to assign Real-time 
Transfer Protocol/Real-time Transfer Control Protocol (RTP/RTCP) addresses as 
receiving addresses of clients at this end, where a port number of RTCP is the port 
number of RTP plus 1, thereby avoiding the random assignment of RTP/RTCP 
addresses in the STUN mode which may result in that the clients are unable to receive 
the RTCP messages sent from an opposite end. 

[0029] The limitation of TURN is that it requires terminals to support TURN 
CLIENT, which is the same as the STUN mode for network terminals. Apart from 
that, all messages should be forwarded via a TURN SERVER, and thus, it is more 
likely to delay and lose packets. 

[0030] To sum up, there exist following shortcomings in the above four 
schemes, respectively: 

[0031] The ALG mode requires modification of large numbers of existing 
NAT/FWs, and the NAT/FWs at this time can not support changes of services. 
Meanwhile, as the ALG mode is unable to recognize the enciphered contents of a 
message, it requires the message be transferred in plain text, which brings potential 
risks to the security of the message during transmission in a public network. 

[0032] As to the MIDCOM mode, it requires updating of large numbers of 
existing NAT/FWs to support the MIDCOM mode. In addition, it is difficult for 
operators to update and manage the NAT/FWs belonging to enterprises. 

[0033] The TURN mode requires network terminals of NGN to have the 
function of TURN CLIENT. Moreover, if the receiving port of a signaling of a 
multimedia terminal is not identical with the transmitting port thereof, the 
inconsistency between the RTP/RTCP receiving port and transmitting port may lead to 
failure of traversal through NAT. 

[0034] The STUN mode has the same problem with the TURN mode, i.e., it 
requires support from network terminals and the traversal through NAT may be 
defeated in the case of inconsistent configuration of receiving and transmitting ports. 
Apart from that, the STUN mode does not support the traversal through TCP 
connections and symmetric NATs. 

[0035] The main reasons causing the above disadvantages are that, on one hand, 
the implementation of ALG, MIDCOM, STUN, and TURN requires support from 
NAT/FWs or user terminals; on the other hand, the inherent drawbacks of each of the 
approaches disable them in the face of some applications. 

Summary 

[0036] This invention is to provide a method and system for implementing 
traversal through network address translation (NAT) so that no reconstruction of 
existing NAT/FWs and user terminals is needed for traversal in any networking forms. 

[0037] The method for implementing traversal through NAT includes the 
steps of: 

[0038] when a proxy server outside a Network Address Translation (NAT) 
server or a Firewall (FW) receives a signaling message from a packet user terminal in 
a first network, the proxy server analyzing the information loaded in the signaling 
message, recording the address and port of the call signaling and the address and port 
of Real-time Transfer Protocol (RTP) and Real-time Transfer Control Protocol (RTCP) 
of media stream loaded in the message, modifying the address and port of call 
signaling loaded in the message into the address and port of call signaling of a second 
network assigned for this call by the proxy server, and modifying the address and port 
of RTP and RTCP of media stream loaded in the message into the address and port of 
the second network assigned for the media stream by the proxy server; 

[0039] the proxy server delivering the modified signaling message to a 
processing device of packet voice signaling or a service processing device; 
[0040] when receiving a response signaling message sent to the packet user 
terminal in the first network, the proxy server analyzing the information loaded in the 
response signaling message, modifying the address and port of response signaling in 
the information loaded in the message into the recorded address and port of call 
signaling, and modifying the RTP and RTCP address and port of media stream loaded 
in the message into the recorded RTP and RTCP address and port of media stream 
recorded in Step A; 

[0041] the proxy server sending the modified response signaling message to 
the packet user terminal in the first network. 

[0042] Before Step A, the method further comprises: 

[0043] the packet user terminal in the first network sends to said proxy server 
the signaling message which is first sent to the NAT/FW; the NAT/FW assigns an 
address/port of the public network for the signaling message, modifies the source 
address in the IP header of the signaling message from the address/port of the first 
network into the assigned address/port of the public network, and records in the 
mapping relations of signaling addresses a corresponding relation between the 
address/port of the first network and the address/port of the public network assigned 
by the NAT/FW before forwarding the signaling message to said proxy server. 

[0044] After performing Step A, the method further comprises: 

[0045] said proxy server initiates messages periodically to said packet user 
terminal in the first network, refreshing the mapping relations of signaling addresses 
on the NAT/FWs. 

[0046] Step A further comprises: 

[0047] when receiving the call signaling from the packet user terminal in the 
first network, said proxy server records the address and port in the IP header of the 
call signaling, and modifies said address and port into the address and port of call 
signaling in the second network assigned for this call by said proxy server; and 

[0048] step C further comprises: 
[0049] when receiving a call signaling sent to the packet user terminal in the 
first network, said proxy server modifies the address and port in the IP header of the 
call signaling into the recorded address and port of the IP header of the call signaling. 

[0050] Here, said processing device of packet voice signaling or service 
processing device is a soft-switching device or a voice over IP gatekeeper device. 

[0051] A system provided in this invention for implementing traversal through 
Network Address Translation (NAT) includes: 

[0052] a packet user terminal located in a first network, for initiating and 
receiving services; 

[0053] a proxy server located in a second network, for receiving signaling 
messages from the packet user terminal in the first network, analyzing the information 
loaded in the signaling message, recording the address and port of call signaling 
loaded in the message as well as the address and port of media stream thereof, 
modifying the address and port of call signaling loaded in the message into the 
address and port in the second network assigned for this call by the proxy server, and 
modifying the address and port of media steam loaded in the message into the address 
and port of the second network assigned for the media stream by the proxy server 
before sending the modified signaling message to a soft-switching device; 

[0054] when receiving a response signaling sent to the packet user terminal in 
the first network, the proxy server analyzes the information in the message load of the 
response signaling, modifies the address and port of response signaling in the message 
load into the recorded address and port of call signaling, and modifies the address and 
port of media stream carried in the message load into the recorded address and port of 
media stream before sending the modified response signaling to the packet user 
terminal in the first network; and 

[0055] the soft-switching device, which is for providing integrated services 
and call control, forwarding to the proxy server the response signaling message sent to 
the packet user terminal when the response message is received. 

[0056] The system further comprises: 
[0057] a NAT/FW, for providing services of accessing the second network for 
said packet user terminal and transmitting messages between said packet user terminal 
and said proxy server. 

[0058] Said packet user terminal is a user terminal performing audio and video 
communications by means of H.323 protocol, Session Initiation Protocol (SIP), Media 
Gateway Control Protocol (MGCP), or H.248 protocol. 

[0059] Said proxy server is used for charging based on flow volumes. 

[0060] Said proxy server is used for conducting access control of users and 
bandwidth management, and enciphering Quality of Service labels of media streams, 
Virtual Private Network labels and information. 

[0061] Said proxy server is used for configuring multiple pairs of addresses of 
the first network and the second network, and implementing traversal through 
multiple NAT/FWs. 

[0062] For the interaction of media streams, said proxy server updates session 
list items or list items of address translating relation of media streams by adopting a 
first-packet refreshing approach. 

[0063] It can be seen by comparison that the difference between the present 
invention and the prior art lies in that a proxy server is employed in this invention for 
traversal through NAT/FWs, and the proxy server converts not only the address/port 
in the IP header of a message but also the signaling address/port carried in the 
message as well as the RTP/RTCP address/port. 

[0064] The difference of the present invention comparing with the prior art is 
likely to bring visible benefits, i.e., the solution of this invention requires no 
reconstruction or modification on NAT/FW devices or service terminals; implements 
traversal through multi-layer NATs and symmetric NATs as well as through exit 
NAT/FWs of multiple Enterprise/Premise networks; provides control function for user 
access, provides encryption for QoS labels and information of media streams, 
guarantees the QoS of real-time session services of access network and the security 
thereof, and at the same time, provides the function of updating the NAT mapping 
table and the function of flow-based charging. 
Brief Description of the Drawings 

[0065] Figure 1 shows a system architecture in the TURN mode; 

[0066] Figure 2 shows a system architecture in the FULL PROXY mode in 
accordance with an embodiment of the present invention; 

[0067] Figure 3 is a flowchart for implementing NAT/FW traversal in the 
FULL PROXY mode in accordance with an embodiment of this invention. 

Embodiments of the Invention 

[0068] Detailed descriptions for embodiments of this invention are hereinafter 
given with reference to the accompanying drawings. 

[0069] In an embodiment of this invention, a FULL PROXY mode is adopted 
and the traversal through an exit NAT/FW is implemented by simultaneously relaying 
the call signaling and the media stream of a user terminal within a private network. 

[0070] Figure 2 is a schematic diagram illustrating an architecture of an 
embodiment of the system in the FULL PROXY mode in accordance with an 
embodiment of the present invention. For the sake of highlighting this embodiment, 
only portions closely related to the embodiment are shown in Figure 2. 

[0071] As shown in Figure 2, the system in this embodiment includes packet 
user terminals 10 and 11, NAT servers or FWs (NAT/FWs) 20 and 21, a proxy server 
30, soft-switching devices (SoftX) 40 and 41. Here, the packet user terminals 10 and 
11 belong to different networks, and are connected with the PROXY SERVER 30 via 
the NAT/FWs 20 and 21, respectively; and the PROXY SERVER 30 is connected 
with the SoftXs 40 and 41. In the figure 2, solid lines represent media streams while 
dotted lines represent signaling streams. 

[0072] The packet user terminals 10 and 11 refer to user terminals 
communicating by means of audio/video protocols, such as H.323, SIP, MGCP, and 
H.248. The packet user terminals are initiators and receivers of multimedia services, 
and when they are in a private network, they can access a public network via the 
NAT/FWs 20 and 21, respectively. It should be noted that the private network and the 
public network mentioned in this invention are only specific cases while, in fact, the 
present invention is applicable to any two networks, e.g., different LANs, or one is a 
LAN and the other is an external public network. When one network is within a 
NAT/FW, it is considered as a private network, while the other network outside the 
NAT/FW is considered as a public network. 

[0073] The NAT/FWs 20 and 21 refer to devices for implementing functions 
of NAT and Firewall, which are typically configured at the position where a private 
network is connected with a public network. On one hand, the NAT/FWs function to 
prevent data packets from entering the private network unlimitedly, and protect 
mainframes of the private network from being attacked by the outside; on the other 
hand, they shield IP addresses of the private network through translation of network 
addresses and/or ports so that multiple user terminals in the private network could 
share a small number of IP addresses of the public network. 

[0074] The PROXY SERVER 30, which is similar to a TURN SERVER in 
prior art, is configured in the convergence layer of a metropolitan area network (MAN) 
for implementing functions of FULL PROXY, i.e., functions of signaling agent and 
media relay. Specifically, when receiving a signaling message from the packet user 
terminal 10, the PROXY SERVER 30 analyzes and processes the load of the 
signaling message, and obtains the address/port in the IP header of the signaling 
message, the address/port of the call signaling in the load of the signaling message as 
well as the address/port of the user terminal for receiving media streams, where the 
addresses/ports are addresses/ports of the private network. In addition, the PROXY 
SERVER 30 assigns call signaling addresses/ports of the public network for the 
signaling message, the call signaling in the load of the signaling message, and the user 
terminal to receive media streams, respectively, and records the corresponding 
relations between the private-network addresses/ports and the public-network 
addresses/ports depicted above. 

[0075] Thereafter, the PROXY SERVER 30 modifies the address/port in the IP header 
of the signaling message into the public-network address/port it assigned for the 
signaling message of the call, modifies the address/port of the call signaling in the 
load of the signaling message into the public-network address/port it assigned for the 
call, and modifies the address/port of the media stream in the load of the signaling 
message into the public-network address/port it assigned for the media stream. After 
address modification, it sends the signaling message to the SoftXs 40 and 41. When 
receiving the signaling message sent from the SoftXs 40 and 41 to the packet user 
terminal 10, the PROXY SERVER 30 obtains the address/port of the private network 
corresponding to the address/port in the IP header of the signaling message, the call 
signaling address/port of the private network corresponding to the call signaling 
address/port in the load of the signaling message, and the media stream address/port 
of the private network corresponding to the media stream address/port in the load of 
the signaling message according to the corresponding relations recorded in the 
PROXY SERVER 30 itself, and modifies the address/port in the IP header of the 
signaling message into the address/port of the IP header of the signaling message in 
the private network, modifies the call signaling address/port in the load of the 
signaling message into the call signaling address/port in the private network, 
modifies the media stream address/port carried in the signaling message into the 
media stream address/port in the private network, and then forwards the message 
according to the modified address in the IP header of the signaling message. In this 
way, call signaling and media streams can be transferred via the PROXY SERVER 30 
between a calling party and a called party. 

[0076] It is understood by persons skilled in the art of this invention that the 
PROXY SERVER 30 may configure multiple pairs of IP addresses. If multiple 
private-network IP addresses or public-network IP addresses have been configured on 
the PROXY SERVER 30, traversal through exit NAT/FWs of multiple 
Enterprise/Premise networks or proxy of multiple SoftXs may be implemented at the 
same time with one device. This approach ensures that media streams are correctly 
forwarded whichever networking mode the PROXY SERVER 30 is in and whether or 
not the NAT is symmetric. 

[0077] In addition, by the analysis and processing of the signaling, the 
PROXY SERVER 30 not only learns the conditions of address translation in a session, 
but also obtains the QoS information, such as bandwidth demand. Thus, the PROXY 
SERVER 30 is able to control the enabling and disabling of the passage of media 
streams through state information of the session so as to protect the network and 
prevent bandwidth theft. The PROXY SERVER 30 can provide functions of 
user access control, bandwidth management, and encryption for the QoS label of 
the media stream as well as the label and information of the Virtual Local Area 
Network (VLAN). 

[0078] In order to prevent the aging of a NAT mapping list, this invention also 
introduces a periodical updating mechanism for address binding relations of NAT, i.e., 
after analyzing the signaling and obtaining the address, the PROXY SERVER 30 will 
periodically send a message to the packet user terminal 10 to refresh the mapping 
relations of signaling addresses on the exit NAT/FW 20 of the enterprise network, 
where the mapping relations refer to corresponding relations between IP 
addresses/ports of the private network and IP addresses/ports of the public network, 
assigned by the NAT/FW 20. After implementing the traversal of the signaling 
address through the exit NAT of the enterprise network, the PROXY SERVER 30 
takes a first-packet refreshing approach to update list items of the session or list items 
of the address translation relation of the media stream for accomplishing media 
streams interaction, i.e., after the media stream sent from the terminal arrives at the 
PROXY SERVER 30 before performing translation on the exit NAT/FW 20 of the 
enterprise network, the PROXY SERVER 30 learns the information of the 
address/port dynamically assigned on the exit NAT/FW 20 from the first-packet, 
thereby updates the session list items of the media stream, establishes a complete 
session list of the media stream, and completes media forwarding when located in the 
public network and connected to multiple enterprise networks. 

[0079] After the PROXY SERVER 30 is introduced into the system, as media 
streams from both the calling party and the called party are relayed via the PROXY 
SERVER 30, it is possible for the PROXY SERVER 30 to obtain accurate flow 
volume of the media stream, thereby implementing flow-based charging rather than 
traditional charging based on time duration. 

[0080] The SoftXs 40 and 41 are soft switching devices which, as key 
components in the network control layer of NGN, are adopted to provide integrated 
services and call control. After receiving signaling messages sent from the public 
network to a packet user terminal in the private network, the SoftXs 40 and 41 
forward the received messages to the PROXY SERVER 30. 
[0081] The method for traversing NAT/FW based on the FULL PROXY 
mode in accordance with the present invention is hereinafter further described with 
reference to a specific embodiment. 

[0082] As a preferred embodiment of this invention, it is assumed in this 
embodiment that the packet user terminal 10 initiates a relevant service to the packet 
user terminal 11, the procedure of which is as shown in Figure 3: 

[0083] Step 200: The packet user terminal 10 in a private network sends a 
signaling message to the PROXY SERVER 30, where the signaling message contains 
registration and call information, and the source address of the IP header of the 
signaling message is an address of the private network. The packet user terminal 10 
takes the PROXY SERVER 30 as a soft-switching device. Specifically speaking, the 
signaling message originated from the packet user terminal 10 is first sent to the 
NAT/FW 20. The NAT/FW 20 assigns an address/port of the public network for the 
signaling message, changes the source address of the IP header of the message from 
the address/port of the private network into the address/port of the public network 
assigned by the NAT/FW 20 itself without any change to the information contained in 
the message, records the corresponding relation between the above address/port of the 
private network and the address/port of the public network assigned by the NAT/FW 
20, and then forwards the signaling message to the PROXY SERVER 30. 

[0084] Step 210: After receiving the signaling message, the PROXY SERVER 
30 analyses and processes the information carried in the load of the signaling message, 
obtains the address/port in the IP header of the signaling message, the address/port of 
the call signaling in the message load as well as the address/port of the media stream 
requested by the user terminal, and assigns addresses/ports of the public network for 
the signaling message, the call signaling as well as the media stream requested by the 
user terminal, respectively. Thereafter, the PROXY SERVER 30 modifies the 
address/port in the IP header of the signaling message into the address/port of the 
public network assigned for the call by the PROXY SERVER 30, modifies the 
address/port of the call signaling in the message load into the address/port of the call 
signaling of the public network assigned for the call by the PROXY SERVER 30, 
modifies the media stream address/port in the message load into the address/port of 
the public network assigned for the media stream by the PROXY SERVER 30, and 
records the corresponding relations of the address/port of the IP header of the signaling 
message in the private network, the address/port of the call signaling in the message 
load, and the address/port of the media stream requested by the user terminal with the 
addresses/ports in the public network assigned by the PROXY SERVER 30. 

[0085] Step 220: Forward the signaling message modified in Step 210 to the 
SoftX40. 

[0086] Step 230: When receiving a response signaling message required to be 
sent to the packet user terminal 10, the SoftX 40 forwards the response signaling 
message to the PROXY SERVER 30. 

[0087] Step 240: When receiving the response signaling message being sent to 
the packet user terminal 10 in the private network, the PROXY SERVER 30 analyzes 
the information loaded in the response signaling message, obtains the address/port in 
the IP header of the response signaling message, the address/port of response 
signaling in the load of the response signaling message, and the address/port of the 
media stream, then acquires the corresponding IP address/port in the private network, 
call signaling address/port, and media stream address/port from the self-recorded 
corresponding relations according to the address/port in the IP header of the response 
signaling message, the address/port of response signaling in the load of the response 
signaling message, and the address/port of the media stream, modifies the address/port 
in the IP header of the response signaling message into the corresponding address/port 
of the IP header in the private network, modifies the address/port of response 
signaling in the load of the response signaling message into the corresponding 
address/port of call signaling in the private network, modifies the address/port of the 
media stream carried in the response signaling into the corresponding address/port of 
the media stream in the private network, where the address/port of the media stream 
may comprise an RTP/RTCP address/port. 

[0088] By recording and modifying the addresses/ports of the signaling and 
the media stream in the message load in Step 210 and Step 240, traversal through 
NAT/FW is implemented while no reconstruction of the existing NAT/FWs and user 
terminals is needed for the traversal whichever networking mode is hereby adopted. 
[0089] Step 250: The PROXY SERVER 30 sends the modified response 
signaling message to the packet user terminal 10 in the private network. 

[0090] Specifically, the PROXY SERVER 30 first sends to the NAT/FW 20 
the modified response signaling message, the destination address of which is the 
public-network address/port assigned for the call of the packet user terminal 10 by the 
NAT/FW 20. Then, the NAT/FW 20 searches and finds out the private-network 
address/port corresponding to the public-network destination address/port of the 
message from the list of corresponding relations between private-network 
addresses/ports and public-network addresses/ports recorded in the NAT/FW 20 itself, 
replaces the public-network destination address/port with the private-network 
address/port found, and after performing the address/port conversion, forwards the 
response signaling message to the packet user terminal 10. 
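The address bookkeeping of Steps 200 to 250, together with the first-packet refresh of paragraph [0078], as an added Python model that is not part of the patent or of any product it describes; the class and method names and every address and port are constructed assumptions:

```python
# Added model (not the patent's code) of the PROXY SERVER 30 bookkeeping.
# A signaling message is a dict of three (addr, port) pairs, all sample values:
#   'ip'    - address in the IP header (already translated by NAT/FW 20 on arrival)
#   'sig'   - call signaling address/port carried in the message load
#   'media' - address/port at which the terminal wants RTP media delivered

class ProxyServer:
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.priv_to_pub = {}      # recorded relation: inner addr -> proxy public addr
        self.pub_to_priv = {}      # reverse table used on the response path (Step 240)
        self.media_sessions = {}   # proxy public media addr -> NAT source learned [0078]

    def _assign(self, inner):
        """Assign a public address/port for an inner one and record the relation."""
        if inner not in self.priv_to_pub:
            public = (self.public_ip, self.next_port)
            self.next_port += 1
            self.priv_to_pub[inner] = public
            self.pub_to_priv[public] = inner
        return self.priv_to_pub[inner]

    def outbound(self, msg):
        """Step 210: rewrite IP-header, call-signaling and media addresses."""
        out = {k: self._assign(msg[k]) for k in ("ip", "sig", "media")}
        self.media_sessions.setdefault(out["media"], None)  # session opened, source unknown
        return out

    def inbound(self, msg):
        """Step 240: map a response back to the recorded inner addresses.
        A response naming an address the proxy never assigned is not forwarded."""
        try:
            return {k: self.pub_to_priv[msg[k]] for k in ("ip", "sig", "media")}
        except KeyError:
            return None

    def first_media_packet(self, dest, src):
        """[0078]: learn the NAT/FW-assigned source from the first media packet; added
        check: later packets must keep that source (bandwidth theft, [0077])."""
        if dest not in self.media_sessions:
            return False                     # media for a session never signaled
        if self.media_sessions[dest] is None:
            self.media_sessions[dest] = src  # complete the session list item
        return self.media_sessions[dest] == src

    def media_return_address(self, dest):
        """Where media for this session is relayed back to (None until learned)."""
        return self.media_sessions.get(dest)
```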

[0091] As can be seen from the above procedures, the relay of the FULL 
PROXY mode in accordance with this invention has following distinctions from the 
TURN mode: 

[0092] In the TURN mode, addresses/ports are assigned during the interaction 
between a TURN SERVER and a user terminal via the TURN protocol, and the 
address information within a message is generated by the terminal. The TURN 
SERVER processes address translation for the subsequent messages according to the 
information of the assigned addresses/ports before relaying and forwarding them. 
When it comes to the FULL PROXY mode, it is the device responsible for relaying 
messages which analyses and processes the call protocol, modifies the address 
information of the media stream carried in the message before forwarding the signaling 
message, and at the same time, makes address translation for media messages 
according to the modified address information of the media streams before forwarding 
them. 

[0093] Though illustration and description of the present invention have been 
given with reference to preferred embodiments thereof, it should be appreciated by 
ordinary persons skilled in the art that various changes in form and detail can be made 
without deviation from the spirit and scope of this invention as defined by the 
appended claims. 